From 7bd027914c5ffd36bb408ef47dc749de3b6e063a Mon Sep 17 00:00:00 2001
From: macournoyer <macournoyer@gmail.com>
Date: Wed, 12 Aug 2009 17:28:38 -0400
Subject: [PATCH] Fix Remote address spoofing vulnerability in
 Connection#remote_address [Alexey Borzenkov]

---
 CHANGELOG               | 1 +
 lib/thin/connection.rb  | 2 +-
 lib/thin/request.rb     | 5 -----
 lib/thin/version.rb     | 4 ++--
 spec/connection_spec.rb | 5 +++--
 5 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 595de22c..4cc2b5a2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,5 @@
 == 1.2.3
+ * Fix Remote address spoofing vulnerability in Connection#remote_address [Alexey Borzenkov]
  * Fix uninitialized constant ActionController::Dispatcher error with Rails 1.2.3 [Chris Anderton] [#103 state:resolved]
 
 == 1.2.2 I Find Your Lack of Sauce Disturbing release
diff --git a/lib/thin/connection.rb b/lib/thin/connection.rb
index 1da7d1e1..7ead989a 100644
--- a/lib/thin/connection.rb
+++ b/lib/thin/connection.rb
@@ -180,7 +180,7 @@ def threaded?
 
     # IP Address of the remote client.
     def remote_address
-      @request.forwarded_for || socket_address
+      socket_address
     rescue Exception
       log_error
       nil
diff --git a/lib/thin/request.rb b/lib/thin/request.rb
index 60adae70..0add8a6b 100644
--- a/lib/thin/request.rb
+++ b/lib/thin/request.rb
@@ -21,7 +21,6 @@ class Request
     HTTP_VERSION      = 'HTTP_VERSION'.freeze
     HTTP_1_0          = 'HTTP/1.0'.freeze
     REMOTE_ADDR       = 'REMOTE_ADDR'.freeze
-    FORWARDED_FOR     = 'HTTP_X_FORWARDED_FOR'.freeze
     CONTENT_LENGTH    = 'CONTENT_LENGTH'.freeze
     CONNECTION        = 'HTTP_CONNECTION'.freeze
     KEEP_ALIVE_REGEXP = /\bkeep-alive\b/i.freeze
@@ -123,10 +122,6 @@ def remote_address=(address)
       @env[REMOTE_ADDR] = address
     end
 
-    def forwarded_for
-      @env[FORWARDED_FOR]
-    end
-
     def threaded=(value)
       @env[RACK_MULTITHREAD] = value
     end
diff --git a/lib/thin/version.rb b/lib/thin/version.rb
index bcab7e6b..c6242d2e 100644
--- a/lib/thin/version.rb
+++ b/lib/thin/version.rb
@@ -6,11 +6,11 @@ class PlatformNotSupported < RuntimeError; end
   module VERSION #:nodoc:
     MAJOR    = 1
     MINOR    = 2
-    TINY     = 2
+    TINY     = 3
     
     STRING   = [MAJOR, MINOR, TINY].join('.')
     
-    CODENAME = "I Find Your Lack of Sauce Disturbing".freeze
+    CODENAME = "Astroboy".freeze
     
     RACK     = [1, 0].freeze # Rack protocol version
   end
diff --git a/spec/connection_spec.rb b/spec/connection_spec.rb
index 151e7832..11672117 100644
--- a/spec/connection_spec.rb
+++ b/spec/connection_spec.rb
@@ -40,9 +40,10 @@
     @connection.process
   end
   
-  it "should return HTTP_X_FORWARDED_FOR as remote_address" do
+  it "should not return HTTP_X_FORWARDED_FOR as remote_address" do
     @connection.request.env['HTTP_X_FORWARDED_FOR'] = '1.2.3.4'
-    @connection.remote_address.should == '1.2.3.4'
+    @connection.stub!(:socket_address).and_return("127.0.0.1")
+    @connection.remote_address.should == "127.0.0.1"
   end
   
   it "should return nil on error retreiving remote_address" do